diff --git a/cfg/config.yaml b/cfg/config.yaml
index e017e43..0bc8abd 100644
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@@ -244,7 +244,7 @@ version_mapping:
 "1.18": "cis-1.6"
 "1.19": "cis-1.20"
 "1.20": "cis-1.20"
- "eks-1.0": "eks-1.0"
+ "eks-1.0.1": "eks-1.0.1"
 "gke-1.0": "gke-1.0"
 "ocp-3.10": "rh-0.7"
 "ocp-3.11": "rh-0.7"
@@ -278,7 +278,7 @@ target_mapping:
 - "etcd"
 - "policies"
 - "managedservices"
- "eks-1.0":
+ "eks-1.0.1":
 - "master"
 - "node"
 - "controlplane"
diff --git a/cfg/eks-1.0/config.yaml b/cfg/eks-1.0.1/config.yaml
similarity index 100%
rename from cfg/eks-1.0/config.yaml
rename to cfg/eks-1.0.1/config.yaml
diff --git a/cfg/eks-1.0/controlplane.yaml b/cfg/eks-1.0.1/controlplane.yaml
similarity index 82%
rename from cfg/eks-1.0/controlplane.yaml
rename to cfg/eks-1.0.1/controlplane.yaml
index f3c971d..7f3b0d7 100644
--- a/cfg/eks-1.0/controlplane.yaml
+++ b/cfg/eks-1.0.1/controlplane.yaml
@@ -1,6 +1,6 @@
 ---
 controls:
-version: "eks-1.0"
+version: "eks-1.0.1"
 id: 2
 text: "Control Plane Configuration"
 type: "controlplane"
@@ -9,6 +9,6 @@ groups:
 text: "Logging"
 checks:
 - id: 2.1.1
- text: "Enable audit logs"
+ text: "Enable audit logs (Manual)"
 remediation: "Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler."
 scored: false
diff --git a/cfg/eks-1.0/managedservices.yaml b/cfg/eks-1.0.1/managedservices.yaml
similarity index 64%
rename from cfg/eks-1.0/managedservices.yaml
rename to cfg/eks-1.0.1/managedservices.yaml
index c8768e9..25b97d2 100644
--- a/cfg/eks-1.0/managedservices.yaml
+++ b/cfg/eks-1.0.1/managedservices.yaml
@@ -1,6 +1,6 @@
 ---
 controls:
-version: "eks-1.0"
+version: "eks-1.0.1"
 id: 5
 text: "Managed Services"
 type: "managedservices"
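Review bot: Removing the `"eks-1.0"` key from `version_mapping` (and from `target_mapping` in the next hunk) leaves no alias for the old benchmark name, so an existing invocation still pinned to eks-1.0 stops resolving instead of being redirected, and the Job manifests edited later in this diff show that every caller has to move at the same time. If `version_mapping` keys are what a user-supplied version is matched against before the benchmark directory is chosen, a transitional entry `"eks-1.0": "eks-1.0.1"` would keep old callers working; confirm that against the lookup code before adding it, since the two mappings may be consulted differently. At minimum a comment on the new line, such as `# eks-1.0 directory removed; eks-1.0.1 supersedes it`, records that the break is deliberate.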
@@ -9,78 +9,78 @@ groups:
 text: "Image Registry and Image Scanning"
 checks:
 - id: 5.1.1
- text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third-party provider (Not Scored)"
+ text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third-party provider (Manual)"
 type: "manual"
- remediation:
+ remediation: "No remediation"
 scored: false
 - id: 5.1.2
- text: "Minimize user access to Amazon ECR (Not Scored)"
+ text: "Minimize user access to Amazon ECR (Manual)"
 type: "manual"
- remediation:
+ remediation: "No remediation"
 scored: false
 - id: 5.1.3
- text: "Minimize cluster access to read-only for Amazon ECR (Not Scored)"
+ text: "Minimize cluster access to read-only for Amazon ECR (Manual)"
 type: "manual"
- remediation:
+ remediation: "No remediation"
 scored: false
 - id: 5.1.4
- text: "Minimize Container Registries to only those approved (Not Scored)"
+ text: "Minimize Container Registries to only those approved (Manual)"
 type: "manual"
- remediation:
+ remediation: "No remediation"
 scored: false
 - id: 5.2
 text: "Identity and Access Management (IAM)"
 checks:
 - id: 5.2.1
- text: "Prefer using dedicated Amazon EKS Service Accounts (Not Scored)"
+ text: "Prefer using dedicated Amazon EKS Service Accounts (Manual)"
 type: "manual"
- remediation:
+ remediation: "No remediation"
 scored: false
 - id: 5.3
- text: "AWS Key Management Service (AWS KMS)"
+ text: "AWS Key Management Service (KMS)"
 checks:
 - id: 5.3.1
- text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Not Scored)"
+ text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Manual)"
 type: "manual"
- remediation:
+ remediation: "No remediation"
 scored: false
 - id: 5.4
 text: "Cluster Networking"
 checks:
 - id: 5.4.1
- text: "Restrict Access to the Control Plane Endpoint (Not Scored)"
+ text: "Restrict Access to the Control Plane Endpoint (Manual)"
 type: "manual"
- remediation:
+ remediation: "No remediation"
 scored: false
 - id: 5.4.2
- text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Not Scored)"
+ text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
 type: "manual"
- remediation:
+ remediation: "No remediation"
 scored: false
 - id: 5.4.3
- text: "Ensure clusters are created with Private Nodes (Not Scored)"
+ text: "Ensure clusters are created with Private Nodes (Manual)"
 type: "manual"
- remediation:
+ remediation: "No remediation"
 scored: false
 - id: 5.4.4
- text: "Ensure Network Policy is Enabled and set as appropriate (Not Scored)"
+ text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
 type: "manual"
- remediation:
+ remediation: "No remediation"
 scored: false
 - id: 5.4.5
- text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Not Scored)"
+ text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
 type: "manual"
- remediation:
+ remediation: "No remediation"
 scored: false
@@ -88,9 +88,9 @@ groups:
 text: "Authentication and Authorization"
 checks:
 - id: 5.5.1
- text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Not Scored)"
+ text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Manual)"
 type: "manual"
- remediation:
+ remediation: "No remediation"
 scored: false
@@ -98,7 +98,7 @@ groups:
 text: "Other Cluster Configurations"
 checks:
 - id: 5.6.1
- text: "Consider Fargate for running untrusted workloads (Not Scored)"
+ text: "Consider Fargate for running untrusted workloads (Manual)"
 type: "manual"
- remediation:
+ remediation: "No remediation"
 scored: false
diff --git a/cfg/eks-1.0/master.yaml b/cfg/eks-1.0.1/master.yaml
similarity index 76%
rename from cfg/eks-1.0/master.yaml
rename to cfg/eks-1.0.1/master.yaml
index a598528..ab39c0e 100644
--- a/cfg/eks-1.0/master.yaml
+++ b/cfg/eks-1.0.1/master.yaml
@@ -1,6 +1,6 @@
 ---
 controls:
-version: "eks-1.0"
+version: "eks-1.0.1"
 id: 1
 text: "Control Plane Components"
 type: "master"
diff --git a/cfg/eks-1.0/node.yaml b/cfg/eks-1.0.1/node.yaml
similarity index 78%
rename from cfg/eks-1.0/node.yaml
rename to cfg/eks-1.0.1/node.yaml
index bf1c4c3..971601b 100644
--- a/cfg/eks-1.0/node.yaml
+++ b/cfg/eks-1.0.1/node.yaml
@@ -1,6 +1,6 @@
 ---
 controls:
-version: "eks-1.0"
+version: "eks-1.0.1"
 id: 3
 text: "Worker Node Security Configuration"
 type: "node"
@@ -9,127 +9,62 @@ groups:
 text: "Worker Node Configuration Files"
 checks:
 - id: 3.1.1
- text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
- audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
+ text: "Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)"
+ audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
 tests:
 test_items:
- - flag: "644"
+ - flag: "permissions"
 compare:
- op: eq
+ op: bitmask
 value: "644"
- set: true
- - flag: "640"
- compare:
- op: eq
- value: "640"
- set: true
- - flag: "600"
- compare:
- op: eq
- value: "600"
- set: true
- - flag: "444"
- compare:
- op: eq
- value: "444"
- set: true
- - flag: "440"
- compare:
- op: eq
- value: "440"
- set: true
- - flag: "400"
- compare:
- op: eq
- value: "400"
- set: true
- - flag: "000"
- compare:
- op: eq
- value: "000"
- set: true
- bin_op: or
 remediation: |
- Run the below command (based on the file location on your system) on each worker node.
+ Run the below command (based on the file location on your system) on the each worker node.
 For example,
- chmod 644 $proxykubeconfig
- scored: true
+ chmod 644 $kubeletkubeconfig
+ scored: false
 - id: 3.1.2
- text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
- audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
+ text: "Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)"
+ audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
 tests:
 test_items:
 - flag: root:root
- set: true
 remediation: |
- Run the below command (based on the file location on your system) on each worker node.
- For example, chown root:root $proxykubeconfig
- scored: true
+ Run the below command (based on the file location on your system) on the each worker node.
+ For example,
+ chown root:root $kubeletkubeconfig
+ scored: false
 - id: 3.1.3
- text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
- audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
+ text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)"
+ audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
 tests:
 test_items:
- - flag: "644"
- set: true
+ - flag: "permissions"
 compare:
- op: eq
+ op: bitmask
 value: "644"
- - flag: "640"
- set: true
- compare:
- op: eq
- value: "640"
- - flag: "600"
- set: true
- compare:
- op: eq
- value: "600"
- - flag: "444"
- compare:
- op: eq
- value: "444"
- set: true
- - flag: "440"
- compare:
- op: eq
- value: "440"
- set: true
- - flag: "400"
- compare:
- op: eq
- value: "400"
- set: true
- - flag: "000"
- compare:
- op: eq
- value: "000"
- set: true
- bin_op: or
 remediation: |
- Run the following command (using the config file location identied in the Audit step)
+ Run the following command (using the config file location identified in the Audit step)
 chmod 644 $kubeletconf
- scored: true
+ scored: false
 - id: 3.1.4
- text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
+ text: "Ensure that the kubelet configuration file ownership is set to root:root (Manual)"
 audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
 tests:
 test_items:
 - flag: root:root
- set: true
 remediation: |
- Run the following command (using the config file location identied in the Audit step)
+ Run the following command (using the config file location identified in the Audit step)
 chown root:root $kubeletconf
- scored: true
+ scored: false
 - id: 3.2
 text: "Kubelet"
 checks:
 - id: 3.2.1
- text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
+ text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
 audit: "/bin/ps -fC $kubeletbin"
 audit_config: "/bin/cat $kubeletconf"
 tests:
@@ -153,7 +88,7 @@ groups:
 scored: true
 - id: 3.2.2
- text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
+ text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
 audit: "/bin/ps -fC $kubeletbin"
 audit_config: "/bin/cat $kubeletconf"
 tests:
@@ -176,7 +111,7 @@ groups:
 scored: true
 - id: 3.2.3
- text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
+ text: "Ensure that the --client-ca-file argument is set as appropriate (Manual)"
 audit: "/bin/ps -fC $kubeletbin"
 audit_config: "/bin/cat $kubeletconf"
 tests:
@@ -194,10 +129,10 @@ groups:
 Based on your system, restart the kubelet service. For example:
 systemctl daemon-reload
 systemctl restart kubelet.service
- scored: true
+ scored: false
 - id: 3.2.4
- text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
+ text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
 audit: "/bin/ps -fC $kubeletbin"
 audit_config: "/bin/cat $kubeletconf"
 tests:
@@ -217,10 +152,10 @@ groups:
 Based on your system, restart the kubelet service. For example:
 systemctl daemon-reload
 systemctl restart kubelet.service
- scored: true
+ scored: false
 - id: 3.2.5
- text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
+ text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
 audit: "/bin/ps -fC $kubeletbin"
 audit_config: "/bin/cat $kubeletconf"
 tests:
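Review bot: The rewritten remediation for 3.1.1 and 3.1.2 now reads `on the each worker node.`, a typo introduced on the added lines where the removed lines had `on each worker node.`. The `set: true` entries under the `root:root` test items in 3.1.2 and 3.1.4 are dropped without replacement; presumably the loader treats an absent `set` as true, but if it defaults to false the ownership check would be asserting that the flag is missing, so this is worth confirming. Separately, 3.1.1 through 3.1.4 keep fully automated `stat` audits yet now declare `scored: false`, which under the usual scored/unscored handling means a kubeconfig with permissions wider than 644 or not owned by root is reported as a warning rather than a failure in the summary; if that downgrade is intended to mirror the benchmark's Manual labels, a comment above 3.1.1 such as `# Manual in CIS EKS 1.0.1: the audit still runs, a failing result is reported as WARN` would keep the next reader from reverting it. The hunk closes inside 3.2.1, whose `tests:` block continues beyond it.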
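Review bot: The `scored: false` on the first changed line of this hunk belongs to 3.2.3 (`--client-ca-file`), whose automated audit is unchanged, so a kubelet with no client CA configured will be reported as a warning rather than a failure; the same flip is made for 3.2.4 in the following hunk and for 3.2.5, 3.2.8, 3.2.10 and 3.2.11 further down. That tracks the Manual labels in the new titles, but these are the worker-node controls a summary is most often read for (client certificate authentication, read-only port, certificate rotation), so the lower failure count deserves an explanation in the file, for example `# scored: false follows the CIS EKS 1.0.1 Manual label; the audit still runs` above the first of them. Each affected check definition starts outside its hunk.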
@@ -245,10 +180,10 @@ groups:
 Based on your system, restart the kubelet service. For example:
 systemctl daemon-reload
 systemctl restart kubelet.service
- scored: true
+ scored: false
 - id: 3.2.6
- text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
+ text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
 audit: "/bin/ps -fC $kubeletbin"
 audit_config: "/bin/cat $kubeletconf"
 tests:
@@ -271,7 +206,7 @@ groups:
 scored: true
 - id: 3.2.7
- text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored) "
+ text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated) "
 audit: "/bin/ps -fC $kubeletbin"
 audit_config: "/bin/cat $kubeletconf"
 tests:
@@ -298,7 +233,7 @@ groups:
 scored: true
 - id: 3.2.8
- text: "Ensure that the --hostname-override argument is not set (Scored)"
+ text: "Ensure that the --hostname-override argument is not set (Manual)"
 # This is one of those properties that can only be set as a command line argument.
 # To check if the property is set as expected, we need to parse the kubelet command
 # instead reading the Kubelet Configuration file.
@@ -314,10 +249,10 @@ groups:
 Based on your system, restart the kubelet service. For example:
 systemctl daemon-reload
 systemctl restart kubelet.service
- scored: true
+ scored: false
 - id: 3.2.9
- text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored)"
+ text: "Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated)"
 audit: "/bin/ps -fC $kubeletbin"
 audit_config: "/bin/cat $kubeletconf"
 tests:
@@ -339,7 +274,7 @@ groups:
 scored: false
 - id: 3.2.10
- text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
+ text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
 audit: "/bin/ps -fC $kubeletbin"
 audit_config: "/bin/cat $kubeletconf"
 tests:
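Review bot: The new title for 3.2.9 names the argument as `--eventRecordQPS`, which combines the flag prefix with the KubeletConfiguration field name: the kubelet command-line flag is `--event-qps` and `eventRecordQPS` is the config-file key. If the wording is deliberately copied from the benchmark it can stay, but it should be noted, e.g. `# CIS wording; the flag is --event-qps, the config key is eventRecordQPS`, so the mismatch is not later treated as a bug in the test. The check's `tests:` block, which presumably matches both spellings, lies outside the hunk.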
@@ -364,10 +299,10 @@ groups:
 Based on your system, restart the kubelet service. For example:
 systemctl daemon-reload
 systemctl restart kubelet.service
- scored: true
+ scored: false
 - id: 3.2.11
- text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
+ text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)"
 audit: "/bin/ps -fC $kubeletbin"
 audit_config: "/bin/cat $kubeletconf"
 tests:
@@ -385,4 +320,4 @@ groups:
 Based on your system, restart the kubelet service. For example:
 systemctl daemon-reload
 systemctl restart kubelet.service
- scored: true
+ scored: false
diff --git a/cfg/eks-1.0/policies.yaml b/cfg/eks-1.0.1/policies.yaml
similarity index 77%
rename from cfg/eks-1.0/policies.yaml
rename to cfg/eks-1.0.1/policies.yaml
index 51f25a0..3b9aa8b 100644
--- a/cfg/eks-1.0/policies.yaml
+++ b/cfg/eks-1.0.1/policies.yaml
@@ -1,6 +1,6 @@
 ---
 controls:
-version: "eks-1.0"
+version: "eks-1.0.1"
 id: 4
 text: "Policies"
 type: "policies"
@@ -9,7 +9,7 @@ groups:
 text: "RBAC and Service Accounts"
 checks:
 - id: 4.1.1
- text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
+ text: "Ensure that the cluster-admin role is only used where required (Manual)"
 type: "manual"
 remediation: |
 Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
@@ -20,14 +20,14 @@ groups:
 scored: false
 - id: 4.1.2
- text: "Minimize access to secrets (Not Scored)"
+ text: "Minimize access to secrets (Manual)"
 type: "manual"
 remediation: |
 Where possible, remove get, list and watch access to secret objects in the cluster.
 scored: false
 - id: 4.1.3
- text: "Minimize wildcard use in Roles and ClusterRoles (Not Scored)"
+ text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
 type: "manual"
 remediation: |
 Where possible replace any use of wildcards in clusterroles and roles with specific
@@ -35,14 +35,14 @@ groups:
 scored: false
 - id: 4.1.4
- text: "Minimize access to create pods (Not Scored)"
+ text: "Minimize access to create pods (Manual)"
 type: "manual"
 Remediation: |
 Where possible, remove create access to pod objects in the cluster.
 scored: false
 - id: 4.1.5
- text: "Ensure that default service accounts are not actively used. (Not Scored)"
+ text: "Ensure that default service accounts are not actively used. (Manual)"
 type: "manual"
 remediation: |
 Create explicit service accounts wherever a Kubernetes workload requires specific access
@@ -52,7 +52,7 @@ groups:
 scored: false
 - id: 4.1.6
- text: "Ensure that Service Account Tokens are only mounted where necessary (Not Scored)"
+ text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
 type: "manual"
 remediation: |
 Modify the definition of pods and service accounts which do not need to mount service
@@ -63,7 +63,7 @@ groups:
 text: "Pod Security Policies"
 checks:
 - id: 4.2.1
- text: "Minimize the admission of privileged containers (Not Scored)"
+ text: "Minimize the admission of privileged containers (Automated)"
 type: "manual"
 remediation: |
 Create a PSP as described in the Kubernetes documentation, ensuring that
@@ -71,7 +71,7 @@ groups:
 scored: false
 - id: 4.2.2
- text: "Minimize the admission of containers wishing to share the host process ID namespace (Not Scored)"
+ text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
 type: "manual"
 remediation: |
 Create a PSP as described in the Kubernetes documentation, ensuring that the
@@ -79,7 +79,7 @@ groups:
 scored: false
 - id: 4.2.3
- text: "Minimize the admission of containers wishing to share the host IPC namespace (Not Scored)"
+ text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
 type: "manual"
 remediation: |
 Create a PSP as described in the Kubernetes documentation, ensuring that the
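Review bot: Check 4.1.4 still carries `Remediation: |` with a capital R (the context line just below the retitled `text:`), while every other check in this file uses `remediation:`; if the loader matches keys case-sensitively, 4.1.4 is reported without any remediation guidance. The commit already edits the adjacent line, so the one-line fix `remediation: |` fits naturally here. The 4.1.4 mapping begins inside the hunk and its `scored: false` is the last line shown for it.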
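Review bot: 4.2.1 is retitled `(Automated)` but keeps `type: "manual"`, no `audit:` (the line arithmetic leaves no room for one between `remediation:` and the `scored:` line of the next hunk) and `scored: false`, so the runner has nothing to execute and the title now promises a result the check does not produce; the same combination is repeated for 4.2.2 and 4.2.3 in the next two hunks, for 4.2.4 through 4.2.8 in the hunks that follow, and for 4.3.2 and 4.6.3 later in the file. Either an audit that inspects the PodSecurityPolicy objects should back the label, or the reason it stays manual should be recorded, for example `# Automated in CIS EKS 1.0.1; PSP inspection is not implemented here, kept as a manual check` above 4.2.1. The remediation block of 4.2.1 continues past the end of the hunk.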
@@ -87,7 +87,7 @@ groups:
 scored: false
 - id: 4.2.4
- text: "Minimize the admission of containers wishing to share the host network namespace (Not Scored)"
+ text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
 type: "manual"
 remediation: |
 Create a PSP as described in the Kubernetes documentation, ensuring that the
@@ -95,7 +95,7 @@ groups:
 scored: false
 - id: 4.2.5
- text: "Minimize the admission of containers with allowPrivilegeEscalation (Not Scored)"
+ text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
 type: "manual"
 remediation: |
 Create a PSP as described in the Kubernetes documentation, ensuring that the
@@ -103,7 +103,7 @@ groups:
 scored: false
 - id: 4.2.6
- text: "Minimize the admission of root containers (Not Scored)"
+ text: "Minimize the admission of root containers (Automated)"
 type: "manual"
 remediation: |
 Create a PSP as described in the Kubernetes documentation, ensuring that the
@@ -112,7 +112,7 @@ groups:
 scored: false
 - id: 4.2.7
- text: "Minimize the admission of containers with the NET_RAW capability (Not Scored)"
+ text: "Minimize the admission of containers with the NET_RAW capability (Automated)"
 type: "manual"
 remediation: |
 Create a PSP as described in the Kubernetes documentation, ensuring that the
@@ -120,7 +120,7 @@ groups:
 scored: false
 - id: 4.2.8
- text: "Minimize the admission of containers with added capabilities (Not Scored)"
+ text: "Minimize the admission of containers with added capabilities (Automated)"
 type: "manual"
 remediation: |
 Ensure that allowedCapabilities is not present in PSPs for the cluster unless
@@ -128,7 +128,7 @@ groups:
 scored: false
 - id: 4.2.9
- text: "Minimize the admission of containers with capabilities assigned (Not Scored)"
+ text: "Minimize the admission of containers with capabilities assigned (Manual)"
 type: "manual"
 remediation: |
 Review the use of capabilities in applications running on your cluster. Where a namespace
@@ -140,14 +140,14 @@ groups:
 text: "CNI Plugin"
 checks:
 - id: 4.3.1
- text: "Ensure that the latest CNI version is used (Not Scored)"
+ text: "Ensure that the latest CNI version is used (Manual)"
 type: "manual"
 remediation: |
 Review the documentation of AWS CNI plugin, and ensure latest CNI version is used.
 scored: false
 - id: 4.3.2
- text: "Ensure that all Namespaces have Network Policies defined (Not Scored)"
+ text: "Ensure that all Namespaces have Network Policies defined (Automated)"
 type: "manual"
 remediation: |
 Follow the documentation and create NetworkPolicy objects as you need them.
@@ -157,7 +157,7 @@ groups:
 text: "Secrets Management"
 checks:
 - id: 4.4.1
- text: "Prefer using secrets as files over secrets as environment variables (Not Scored)"
+ text: "Prefer using secrets as files over secrets as environment variables (Manual)"
 type: "manual"
 remediation: |
 If possible, rewrite application code to read secrets from mounted secret files, rather than
@@ -165,7 +165,7 @@ groups:
 scored: false
 - id: 4.4.2
- text: "Consider external secret storage (Not Scored)"
+ text: "Consider external secret storage (Manual)"
 type: "manual"
 remediation: |
 Refer to the secrets management options offered by your cloud provider or a third-party
@@ -176,7 +176,7 @@ groups:
 text: "Extensible Admission Control"
 checks:
 - id: 4.5.1
- text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
+ text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
 type: "manual"
 remediation: |
 Follow the Kubernetes documentation and setup image provenance.
@@ -186,7 +186,7 @@ groups:
 text: "General Policies"
 checks:
 - id: 4.6.1
- text: "Create administrative boundaries between resources using namespaces (Not Scored)"
+ text: "Create administrative boundaries between resources using namespaces (Manual)"
 type: "manual"
 remediation: |
 Follow the documentation and create namespaces for objects in your deployment as you need
@@ -194,33 +194,7 @@ groups:
 scored: false
 - id: 4.6.2
- text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
- type: "manual"
- remediation: |
- Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
- would need to enable alpha features in the apiserver by passing "--feature- gates=AllAlpha=true" argument.
- Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
- parameter to "--feature-gates=AllAlpha=true"
- KUBE_API_ARGS="--feature-gates=AllAlpha=true"
- Based on your system, restart the kube-apiserver service. For example:
- systemctl restart kube-apiserver.service
- Use annotations to enable the docker/default seccomp profile in your pod definitions. An
- example is as below:
- apiVersion: v1
- kind: Pod
- metadata:
- name: trustworthy-pod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: docker/default
- spec:
- containers:
- - name: trustworthy-container
- image: sotrustworthy:latest
- scored: false
-
- - id: 4.6.3
- text: "Apply Security Context to Your Pods and Containers (Not Scored)"
+ text: "Apply Security Context to Your Pods and Containers (Manual)"
 type: "manual"
 remediation: |
 Follow the Kubernetes documentation and apply security contexts to your pods. For a
@@ -228,8 +202,8 @@ groups:
 Containers.
 scored: false
- - id: 4.6.4
- text: "The default namespace should not be used (Not Scored)"
+ - id: 4.6.3
+ text: "The default namespace should not be used (Automated)"
 type: "manual"
 remediation: |
 Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
diff --git a/cmd/common_test.go b/cmd/common_test.go
index e0f38d0..88b9dd6 100644
--- a/cmd/common_test.go
+++ b/cmd/common_test.go
@@ -438,8 +438,8 @@ func TestValidTargets(t *testing.T) {
 expected: true,
 },
 {
- name: "eks-1.0 valid",
- benchmark: "eks-1.0",
+ name: "eks-1.0.1 valid",
+ benchmark: "eks-1.0.1",
 targets: []string{"node", "policies", "controlplane", "managedservices"},
 expected: true,
 },
diff --git a/cmd/util.go b/cmd/util.go
index a60ca86..732d083 100644
--- a/cmd/util.go
+++ b/cmd/util.go
@@ -455,7 +455,7 @@ func getPlatformBenchmarkVersion(platform string) string {
 glog.V(3).Infof("getPlatformBenchmarkVersion platform: %s", platform)
 switch platform {
 case "eks":
- return "eks-1.0"
+ return "eks-1.0.1"
 case "gke":
 return "gke-1.0"
 case "aliyun":
diff --git a/cmd/util_test.go b/cmd/util_test.go
index 56e54e0..f125eb5 100644
--- a/cmd/util_test.go
+++ b/cmd/util_test.go
@@ -578,7 +578,7 @@ func Test_getPlatformBenchmarkVersion(t *testing.T) {
 args: args{
 platform: "eks",
 },
- want: "eks-1.0",
+ want: "eks-1.0.1",
 },
 {
 name: "gke",
diff --git a/docs/architecture.md b/docs/architecture.md
index 5b5b854..525c0be 100644
--- a/docs/architecture.md
+++ b/docs/architecture.md
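Review bot: Renumbering 4.6.4 to 4.6.3 here (and 4.6.3 to 4.6.2 in the previous hunk, after the seccomp check 4.6.2 was deleted) changes the identifier under which the same control is reported, so anything that tracks findings by check id across benchmark versions — the Security Hub export configured in job-eks-asff.yaml later in this diff presumably carries the id — will see these as new findings rather than continuations of the old ones. That is expected for a new benchmark version, but a comment above 4.6.2 such as `# ids shifted relative to eks-1.0: the seccomp check (old 4.6.2) was dropped` would keep the shift from being mistaken for a copy error. The 4.6.3 check also carries the `(Automated)` title with `type: "manual"` and no audit, the same mismatch as the 4.2.x checks earlier in the file.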
@@ -19,7 +19,7 @@ The following table shows the valid targets based on the CIS Benchmark version.
 | cis-1.6| master, controlplane, node, etcd, policies |
 |cis-1.20| master, controlplane, node, etcd, policies |
 | gke-1.0| master, controlplane, node, etcd, policies, managedservices |
-| eks-1.0| controlplane, node, policies, managedservices |
+| eks-1.0.1| controlplane, node, policies, managedservices |
 | ack-1.0| master, controlplane, node, etcd, policies, managedservices |
 | rh-0.7| master,node|
 | rh-1.0| master, controlplane, node, etcd, policies |
diff --git a/docs/platforms.md b/docs/platforms.md
index f9b4a72..ce6019b 100644
--- a/docs/platforms.md
+++ b/docs/platforms.md
@@ -11,7 +11,7 @@ Some defined by other hardenening guides.
 | CIS | [1.6.0](https://workbench.cisecurity.org/benchmarks/4834) | cis-1.6 | 1.16-1.18 |
 | CIS | [1.20](https://workbench.cisecurity.org/benchmarks/6246) | cis-1.20 | 1.19-1.20 |
 | CIS | [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE |
-| CIS | [EKS 1.0.0](https://workbench.cisecurity.org/benchmarks/5190) | eks-1.0 | EKS |
+| CIS | [EKS 1.0.1](https://workbench.cisecurity.org/benchmarks/6041) | eks-1.0.1 | EKS |
 | CIS | [ACK 1.0.0](https://workbench.cisecurity.org/benchmarks/6467) | ack-1.0 | ACK |
 | CIS | [AKS 1.0.0](https://workbench.cisecurity.org/benchmarks/6347) | aks-1.0 | AKS |
 | RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
diff --git a/job-eks-asff.yaml b/job-eks-asff.yaml
index ecde08d..426c548 100644
--- a/job-eks-asff.yaml
+++ b/job-eks-asff.yaml
@@ -33,7 +33,7 @@ spec:
 # Push the image to your ECR and then refer to it here
 # image:
 image: aquasec/kube-bench:latest
- command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0", "--asff"]
+ command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0.1", "--asff"]
 volumeMounts:
 - name: var-lib-kubelet
 mountPath: /var/lib/kubelet
@@ -45,7 +45,7 @@ spec:
 mountPath: /etc/kubernetes
 readOnly: true
 - name: kube-bench-eks-config
- mountPath: "/opt/kube-bench/cfg/eks-1.0/config.yaml"
+ mountPath: "/opt/kube-bench/cfg/eks-1.0.1/config.yaml"
 subPath: config.yaml
 readOnly: true
 restartPolicy: Never
diff --git a/job-eks.yaml b/job-eks.yaml
index cbad7f2..ed269e0 100644
--- a/job-eks.yaml
+++ b/job-eks.yaml
@@ -13,7 +13,7 @@ spec:
 # image:
 image: aquasec/kube-bench:latest
 # To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead
- command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0"]
+ command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0.1"]
 volumeMounts:
 - name: var-lib-kubelet
 mountPath: /var/lib/kubelet